Stop Making These 5 Configuration Mistakes

5 Common Configuration Mistakes

Who is responsible for the current state of cybersecurity? At first glance, this looks like a simple question with a straightforward answer, but when you think about it, you'll see that it's a bit more complicated.

On the one hand, the hackers are the ones breaking the law, and they should be held responsible for their own actions. On the other, however, cybercriminals wouldn't be doing what they're doing if it wasn't for some mistakes made by both service providers and users.

The enemy isn't as powerful as you might think. More often than not, a successful cyberattack is not dependent on an especially sophisticated criminal who is capable of breaking the security of even the savviest users and organizations. Regardless of whether we're talking about a novelty IoT gadget or the server of a high-profile organization, often, a successful attack is down to one or more common configuration errors that could have been avoided. Today, we'll talk about a few of the basic mistakes that people make every day, and we'll give you some examples of real-world incidents that illustrate the potential consequences.

Using default usernames and passwords

Some of you might remember October 21, 2016. Back then, a large-scale Distributed Denial of Service (DDoS) attack brought down DNS provider Dyn and made quite a few of the world's most popular online services inaccessible in large parts of Europe and North America. The amount of traffic that flooded Dyn's infrastructure was truly unprecedented, and it was coming from the now-infamous Mirai.

Mirai is a malware family that came to prominence in 2016 after it gathered a large number of IoT gadgets into a powerful botnet and used it for some of history's biggest DDoS attacks. At its peak, the botnet consisted of hundreds of thousands of internet-connected cameras, DVRs, baby monitors, routers, smart locks, etc. You might think that infecting all these devices would be a massive undertaking, but in reality, it was all down to a list of 60 default username and password combinations.

The problem of default credentials is pretty big. In fact, it's so big that it has managed to attract some legislative attention. The State of California, for example, is trying to force vendors into configuring their devices in a way that would prevent users from installing them without assigning a new password. The fact that lawmakers are trying to address the problem is good news, but we'll need to wait and see if their attempts will be successful. In the meantime, changing the default passwords on all your internet-connected devices should be high on your to-do list.
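The vendor-side version of that advice is a first-boot flow that simply refuses to finish until the factory default has been replaced. The following is an added illustration, not code from the article or from any device vendor: the default-credential list is a small constructed sample, the minimum length is an assumed policy value, and `provision_device` is a hypothetical stand-in for a real setup wizard.

```python
"""Added example: a first-boot provisioning check that refuses to complete
device setup while the account still uses a factory-default credential.
The default list is a small constructed sample for illustration only."""

import secrets
import string

# Constructed sample of factory-default username/password pairs.
# A real deployment would load the vendor's own defaults for its product line.
DEFAULT_CREDENTIALS = {
    ("admin", "admin"),
    ("admin", "password"),
    ("admin", "1234"),
    ("root", "root"),
    ("user", "user"),
    ("support", "support"),
}

MIN_PASSWORD_LENGTH = 12  # assumed policy value


def is_default_credential(username: str, password: str) -> bool:
    """True if the pair matches a known factory default (username compared case-insensitively)."""
    return (username.lower(), password) in DEFAULT_CREDENTIALS


def password_problems(username: str, password: str) -> list[str]:
    """Return the reasons a proposed credential is rejected (empty list means accepted)."""
    problems = []
    if is_default_credential(username, password):
        problems.append("password is a known factory default")
    if len(password) < MIN_PASSWORD_LENGTH:
        problems.append(f"password shorter than {MIN_PASSWORD_LENGTH} characters")
    if password.lower() == username.lower():
        problems.append("password equals the username")
    return problems


def generate_unique_default(length: int = 16) -> str:
    """Per-device random initial password: the alternative to one default shared
    by every unit. Printed on the device label at manufacture time rather than
    burned into firmware, so no single list unlocks the whole product line."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def provision_device(username: str, password: str) -> dict:
    """Simulated first-boot flow (hypothetical): setup only completes once a
    non-default password has been set. Returns the resulting device state."""
    problems = password_problems(username, password)
    if problems:
        return {"provisioned": False, "reasons": problems}
    return {"provisioned": True, "reasons": []}


if __name__ == "__main__":
    print(provision_device("admin", "admin"))
    print(provision_device("admin", "correct-horse-battery-7"))
    print("unique per-device default:", generate_unique_default())
```

The check runs on the device itself, so it holds even when the owner never reads the manual; the per-device random password is what removes the shared-default problem entirely, since an attacker's list of 60 combinations is useless when every unit shipped with a different one.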

Incorrect password management

Last week, hundreds of developers found out that the code in their private git repositories had been replaced with a ransom note which stated that if they wanted their data back, they needed to fork out about $600 worth of bitcoin. The curious thing about the attack was that it was not limited to a single provider. Users of the three most popular git hosting services, GitHub, GitLab, and Bitbucket, were all affected. Did all these services get hacked at the same time?

After investigating the breach, GitLab concluded that its systems hadn't been compromised – something the other providers stated as well. At the same time, security researchers told ZDNet that they had seen someone scanning for git config files which could have included login credentials. In the end, it was discovered that the hackers managed to either guess the victims' passwords or scrape them from files that stored them in plaintext.

We recently talked about how big technology companies like Microsoft are trying desperately to replace the traditional authentication mechanisms with something more robust and easier to use, but we also mentioned that for the time being at least, the alternatives are not perfect, and the adoption is still limited. Although the password seems to be on its way to its demise, developing proper password management habits is more important than ever.
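Because the git incident above came down to credentials sitting in plaintext config files, a useful habit is to scan your own `.git/config` for exactly that before anyone else does. The following is an added example, not code from the article or from the git project: the config text is a constructed sample, the host name is a placeholder, and the two findings it raises (a password embedded in a remote URL, and `credential.helper = store`, which git documents as writing credentials in plaintext to `~/.git-credentials`) are the patterns a scraper would look for.

```python
"""Added example: scan the text of a git config file for credentials stored
in plaintext. The config below is a constructed sample; the host is a placeholder."""

import re
from urllib.parse import urlsplit

# Constructed sample .git/config with two bad habits:
# a password embedded in the remote URL, and the plaintext 'store' helper.
SAMPLE_GIT_CONFIG = """\
[core]
\trepositoryformatversion = 0
[remote "origin"]
\turl = https://alice:hunter2@example-git-host.invalid/alice/project.git
\tfetch = +refs/heads/*:refs/remotes/origin/*
[remote "mirror"]
\turl = git@example-git-host.invalid:alice/project.git
[credential]
\thelper = store
"""

SECTION_RE = re.compile(r'^\[(\w+)(?:\s+"([^"]*)")?\]$')


def parse_git_config(text: str) -> list[tuple[str, str, str]]:
    """Minimal INI-style parser returning (section, key, value) triples.
    A header like [remote "origin"] becomes the section name 'remote.origin'."""
    entries, section = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1) if m.group(2) is None else f"{m.group(1)}.{m.group(2)}"
            continue
        key, _, value = line.partition("=")
        entries.append((section, key.strip(), value.strip()))
    return entries


def find_plaintext_credentials(text: str) -> list[str]:
    """Return human-readable findings for credentials a scraper could lift from the file."""
    findings = []
    for section, key, value in parse_git_config(text):
        if key == "url" and "://" in value:  # scp-style git@host:path URLs carry no password
            parts = urlsplit(value)
            if parts.password is not None:
                findings.append(f"{section}: password embedded in remote URL for user {parts.username!r}")
            elif parts.username is not None:
                findings.append(f"{section}: username embedded in remote URL (password may be cached elsewhere)")
        if section == "credential" and key == "helper" and value.split()[0] == "store":
            findings.append("credential.helper=store writes plaintext passwords to ~/.git-credentials")
    return findings


def redact_url_credentials(url: str) -> str:
    """Rewrite a remote URL without its user:password part so the config is safe to keep."""
    parts = urlsplit(url)
    if parts.username is None:
        return url
    netloc = parts.hostname or ""
    if parts.port:
        netloc += f":{parts.port}"
    return parts._replace(netloc=netloc).geturl()


if __name__ == "__main__":
    for finding in find_plaintext_credentials(SAMPLE_GIT_CONFIG):
        print("FINDING:", finding)
```

The fix on the user side is to strip the userinfo from the URL (as `redact_url_credentials` does) and let an OS keychain-backed credential helper hold the secret instead of `store`; on a shared host, the same scan over every `.git/config` under a web root is a cheap way to find what an automated scraper would find.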

Relying on outdated software

In September 2017, Equifax lost the full names, Social Security numbers, driver's license numbers, addresses, and birth dates of close to 150 million Americans.

It is one of the most severe data breaches of recent years, and to find out what enabled it, you need to rewind the clock back to March 2017 when researchers found a security flaw in Apache Struts – a programming framework used by Equifax as well as numerous other large-scale organizations all around the world. The vulnerability, tracked as CVE-2017-5638, allowed remote code execution, and shortly after the information was made public, the criminals started attacking Apache Struts installations.

A patch was quickly released, and security experts urged organizations to update their web applications as a matter of urgency. For the next six months, however, Equifax failed to do it, and it (as well as its unsuspecting customers) ended up paying a rather hefty price.

Security flaws are found in all sorts of software applications every single day. Fortunately, in most cases, developers handle them responsibly and waste no time releasing patches. Sadly, they can't install those patches on their users' systems. The individual users and organizations that rely on the products to do business are responsible for that, and hopefully, incidents like the Equifax breach have taught people what the implications of using out-of-date apps can be.
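Knowing that a patch exists is only useful if you can tell which of your own systems still runs an affected build, which means keeping an inventory and diffing it against advisories. The following is an added example, not code from the article or from Apache Struts: the advisory entry, component name and version ranges are constructed placeholders (a real feed entry, such as the vendor advisory for the CVE-2017-5638 flaw named above, would drop into the same structure), and the host inventory is constructed as well.

```python
"""Added example: match an inventory of installed components against an
advisory list to find unpatched software. Advisory and inventory are
constructed placeholders, not any real vendor's figures."""

from dataclasses import dataclass


def parse_version(text: str) -> tuple[int, ...]:
    """'2.5.10.1' -> (2, 5, 10, 1); non-numeric pieces count as 0."""
    parts = []
    for piece in text.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_in_range(version: str, low: str, high: str) -> bool:
    """Inclusive comparison; shorter tuples compare as if padded with zeros,
    so '2.5' and '2.5.0' are the same release."""
    v, lo, hi = parse_version(version), parse_version(low), parse_version(high)
    width = max(len(v), len(lo), len(hi))

    def pad(t):
        return t + (0,) * (width - len(t))

    return pad(lo) <= pad(v) <= pad(hi)


@dataclass(frozen=True)
class Advisory:
    advisory_id: str
    component: str
    affected: tuple[tuple[str, str], ...]  # inclusive (low, high) version ranges
    fixed_in: tuple[str, ...]              # first safe release on each branch


# PLACEHOLDER advisory: id, component and ranges are constructed for this example.
ADVISORIES = [
    Advisory("EXAMPLE-2017-0001", "example-framework",
             affected=(("1.0.0", "1.4.9"), ("2.0", "2.2.4")),
             fixed_in=("1.5.0", "2.2.5")),
]

# Constructed inventory: host -> {component: installed version}.
INVENTORY = {
    "web-01": {"example-framework": "2.1.7", "openjdk": "8.0.121"},
    "web-02": {"example-framework": "2.2.5", "openjdk": "8.0.121"},
    "batch-01": {"example-framework": "1.3"},
}


def find_unpatched(inventory: dict, advisories: list) -> list[dict]:
    """Return one record per (host, advisory) where the installed version is in an affected range."""
    findings = []
    for host, components in inventory.items():
        for adv in advisories:
            installed = components.get(adv.component)
            if installed is None:
                continue
            if any(version_in_range(installed, lo, hi) for lo, hi in adv.affected):
                findings.append({"host": host, "component": adv.component,
                                 "installed": installed, "advisory": adv.advisory_id,
                                 "upgrade_to": adv.fixed_in})
    return findings


if __name__ == "__main__":
    for hit in find_unpatched(INVENTORY, ADVISORIES):
        print(f"{hit['host']}: {hit['component']} {hit['installed']} affected by "
              f"{hit['advisory']}; upgrade to one of {hit['upgrade_to']}")
```

The six months Equifax took are exactly the gap this kind of report is meant to close: run it on every advisory release, and an affected host shows up the same day rather than after the breach.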

Poor access management

You'd think that when it comes to storing information, deciding who has access to what is a fairly straightforward task. As it turns out, this is not strictly the case. Less than two months ago, security researchers found a couple of Amazon S3 buckets which, upon closer inspection, turned out to contain personal details of over 540 million Facebook users. One of the databases was put online by a now-defunct game developer, and the rest of the data had been collected by a Mexican marketing company. All that was needed to access it was an internet connection.

This is just one of the many cases we've seen where vendors knowingly put data on the internet and fail to think about the consequences. Try to avoid this mistake.

If a piece of information doesn't need to be available online, don't put it there. And if it does, make sure only the correct people have access to it. Put all the important data behind strong passwords, and try to limit the number of IPs that can view and change the information as much as possible. Storage providers give you numerous different options for customizing what is and what isn't visible to the rest of the world, and there really is no excuse for not taking advantage of them.
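The S3 case above is a good place to show what "only the correct people" and "limit the number of IPs" look like in an actual bucket policy, and how to check a policy for the open-to-the-world statement before it goes live. The following is an added example, not code from the article or from AWS: both policies are constructed, the account id, role name and CIDR are placeholders, and the public-access test is a deliberate simplification of AWS's own evaluation (it treats `aws:SourceIp` and `aws:SourceVpc`/`aws:SourceVpce` conditions as narrowing the audience and ignores other condition keys).

```python
"""Added example: a static check of an S3 bucket policy for statements that
grant the whole internet access, beside a corrected policy restricted to one
principal and one allow-listed IP range. Policies and identifiers are constructed."""

import json

# Constructed 'before' policy: anyone on the internet can read every object.
PUBLIC_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PublicRead",
      "Effect": "Allow",
      "Principal": "*",
      "Action": ["s3:GetObject"],
      "Resource": "arn:aws:s3:::example-user-data/*"
    }
  ]
}
""")

# Constructed 'after' policy: one named role, and only from one office range.
# Account id, role name and CIDR are placeholders.
RESTRICTED_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AnalyticsRoleFromOffice",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::111111111111:role/analytics-reader"},
      "Action": ["s3:GetObject", "s3:ListBucket"],
      "Resource": ["arn:aws:s3:::example-user-data", "arn:aws:s3:::example-user-data/*"],
      "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}
    }
  ]
}
""")


def _as_list(value):
    """Policy JSON allows either a scalar or a list in most fields."""
    return value if isinstance(value, list) else [value]


def principal_is_anonymous(principal) -> bool:
    """'*' or {"AWS": "*"} matches any caller, including unauthenticated ones."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for p in _as_list(principal.get("AWS", [])))
    return False


def has_source_restriction(statement: dict) -> bool:
    """Simplified: a source IP / VPC condition narrows who the statement reaches.
    AWS's real public-access evaluation considers more condition keys than this."""
    condition = statement.get("Condition", {})
    for operator_block in condition.values():
        for key in operator_block:
            if key.lower() in ("aws:sourceip", "aws:sourcevpc", "aws:sourcevpce"):
                return True
    return False


def find_public_statements(policy: dict) -> list[str]:
    """Return the Sid (or index) of each Allow statement open to anyone without a source restriction."""
    public = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if principal_is_anonymous(stmt.get("Principal")) and not has_source_restriction(stmt):
            public.append(stmt.get("Sid", f"statement[{i}]"))
    return public


if __name__ == "__main__":
    print("public statements, before:", find_public_statements(PUBLIC_POLICY))
    print("public statements, after: ", find_public_statements(RESTRICTED_POLICY))
```

Running this kind of check in the deployment pipeline turns "we didn't think about the consequences" into a failed build; the corrected policy names one principal and one address range, which is the storage-provider option the paragraph above is talking about.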

Incorrect network configuration

Do you remember WannaCry? Although it made headlines nearly two years ago, it's still by far the biggest ransomware attack the world has ever seen. It broke out on May 12, 2017, and in total, it managed to cripple more than 200,000 computers in 150 countries. A few hours after the initial breakout, security expert Marcus Hutchins activated a kill switch and brought the attack to an abrupt end, but by that time, WannaCry had already managed to cause hundreds of millions of dollars' worth of damage.

It was spreading like the proverbial wildfire because of an NSA hacking tool known as EternalBlue. And EternalBlue worked because there was a flaw in the first version of the Server Message Block (abbreviated as SMBv1) protocol.

Once again, Microsoft had released a patch which many people had failed to install, but even if you disregard this, SMB as a whole was already a pretty ancient protocol at the time, and its first incarnation was more or less obsolete. Yet thousands of networks still had it enabled, which is what made the WannaCry attack possible.

Properly configuring a local network might not be the easiest thing in the world, but it's definitely not impossible. All you need to know is which protocols and ports you need to use in order to guarantee hassle-free communication between all your devices. Indeed, you might need to do some research, and if your network is especially complicated, you should probably ask an expert for some advice. As the people who lost their files to WannaCry can testify, however, the effort is definitely worth it.
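"Knowing which protocols and ports you need" is most useful when it is written down and then compared against what the hosts actually expose, so that an SMBv1 that nobody needs, or a file-sharing port open to the internet, shows up as a finding rather than a surprise. The following is an added example, not code from the article or from any vendor: the hosts, zones and required-port list are all constructed, and the `Host` record is a hypothetical shape for whatever your configuration management or scanner already reports.

```python
"""Added example: audit a host inventory against a declared list of required
services, flagging SMBv1 left enabled and SMB ports reachable from untrusted
networks. All hosts, zones and port lists are constructed."""

from dataclasses import dataclass, field


@dataclass
class Host:
    """Hypothetical inventory record: where the host sits, whether the SMBv1
    dialect is still enabled, and each open inbound port with the source
    zones the firewall allows to reach it."""
    name: str
    zone: str
    smb1_enabled: bool
    open_ports: dict = field(default_factory=dict)  # port -> set of allowed source zones


# What each host is supposed to expose, agreed in advance (constructed).
REQUIRED_PORTS = {
    "file-srv-01": {445: {"internal"}},
    "web-01": {443: {"internet", "internal"}, 22: {"internal"}},
    "legacy-01": {445: {"internal"}},
}

# Constructed snapshot of what the hosts actually look like.
HOSTS = [
    Host("file-srv-01", "internal", smb1_enabled=False,
         open_ports={445: {"internal"}, 139: {"internal"}}),
    Host("web-01", "dmz", smb1_enabled=False,
         open_ports={443: {"internet", "internal"}, 22: {"internal"}, 445: {"internet", "internal"}}),
    Host("legacy-01", "internal", smb1_enabled=True,
         open_ports={445: {"internal"}}),
]

SMB_PORTS = {139, 445}  # NetBIOS session service and direct-hosted SMB


def audit_host(host: Host, required: dict) -> list[str]:
    """Return findings for one host: legacy dialect on, SMB exposed to the
    internet, and any port (or source zone) not in the agreed list."""
    findings = []
    if host.smb1_enabled:
        findings.append(f"{host.name}: SMBv1 enabled; disable it and rely on SMBv2/3")
    needed = required.get(host.name, {})
    for port, zones in host.open_ports.items():
        if port in SMB_PORTS and "internet" in zones:
            findings.append(f"{host.name}: port {port} (SMB) reachable from the internet")
        if port not in needed:
            findings.append(f"{host.name}: port {port} open but not in the required-services list")
        else:
            extra = zones - needed[port]
            if extra:
                findings.append(f"{host.name}: port {port} open to unexpected zones {sorted(extra)}")
    return findings


def audit_all(hosts: list, required: dict) -> dict:
    """Map host name -> list of findings; an empty list means the host matches its declaration."""
    return {h.name: audit_host(h, required) for h in hosts}


if __name__ == "__main__":
    for name, findings in audit_all(HOSTS, REQUIRED_PORTS).items():
        print(name, "OK" if not findings else "")
        for f in findings:
            print("  -", f)
```

The declaration is the important half: once the required-services list exists, the audit is a few lines, and the same list tells the firewall what to block by default.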

Security must be a priority from the very start

You can't predict everything. The online world is changing by the second, and attackers are finding new ways of compromising devices every day. You must be aware of their tried and tested techniques, though, and you should be confident that you've done enough to protect your data before you plug in the internet cable. Avoiding the mistakes we discussed today is just the beginning.

May 10, 2019